Bug 690183 - hotplug of usb hostdev can crash libvirt
Summary: hotplug of usb hostdev can crash libvirt
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Eric Blake
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Duplicates: 690379
Depends On: 642785
Blocks:
Reported: 2011-03-23 14:25 UTC by Eric Blake
Modified: 2011-05-19 13:29 UTC

Fixed In Version: libvirt-0.8.7-15.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-19 13:29:29 UTC
Target Upstream Version:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2011:0596 | 0 | normal | SHIPPED_LIVE | libvirt bug fix and enhancement update | 2011-05-18 17:56:36 UTC

Description Eric Blake 2011-03-23 14:25:36 UTC
Description of problem:
bug 642785 introduced a regression in hot-plugging usb hostdev devices, which crashes libvirtd

Version-Release number of selected component (if applicable):
libvirt-0.8.7-14.el6

How reproducible:
100%

Steps to Reproduce:
# cat usb.xml 
<hostdev mode='subsystem' type='usb'>
  <source>
    <address bus='0x001' device='0x003'/>
  </source>
</hostdev>
# virsh attach-device vm1 usb.xml
error: Failed to attach device from usb.xml
error: server closed connection: 
  
Actual results:
libvirtd dies from a NULL deref

Expected results:
hotplug should work

Additional info:
Latent bug introduced in commit b4d3434f, exposed by commit
f2512684. Solved in upstream commit:
commit bcac844f4f21b7aa6501af81efcc1aaa703ba756
Author: Wen Congyang <wency.com>
Date:   Wed Mar 23 10:02:15 2011 +0800

    Initialization error of qemuCgroupData in Qemu host usb hotplug
    
    Steps to reproduce this bug:
    # cat usb.xml
    <hostdev mode='subsystem' type='usb'>
      <source>
        <address bus='0x001' device='0x003'/>
      </source>
    </hostdev>
    # virsh attach-device vm1 usb.xml
    error: Failed to attach device from usb.xml
    error: server closed connection:
    
    The reason for this bug is that we set data.cgroup to NULL, and this will cause libvirtd to crash.
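
Added example, not part of the original report and not libvirt's code: a minimal C model of how callback data can end up holding a NULL cgroup pointer, next to an ordering that avoids it. It assumes the initialization error is the payload being filled before the cgroup lookup runs (the page does not show the patch); all type, function and path names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the cgroup handle and the callback payload. */
typedef struct { int allowed; } cgroup_t;
typedef struct { const char *vm; cgroup_t *cgroup; } cgroup_data_t;

static cgroup_t vm_cgroup;                 /* the domain's cgroup (constructed) */
static const char *DEV = "/dev/bus/usb/001/003";   /* constructed path */

/* Models the cgroup lookup that runs during hotplug. */
static int lookup_cgroup(cgroup_t **out) { *out = &vm_cgroup; return 0; }

/* Callback invoked per device file. Without the guard, a NULL data->cgroup
 * is dereferenced and the daemon dies; with it the attach fails cleanly. */
static int allow_device(const char *path, void *opaque) {
    cgroup_data_t *data = opaque;
    (void)path;
    if (data == NULL || data->cgroup == NULL)
        return -1;
    data->cgroup->allowed++;
    return 0;
}

/* Buggy order: data copies the pointer's value (NULL) before the lookup. */
int attach_buggy(void) {
    cgroup_t *cgroup = NULL;
    cgroup_data_t data = { "vm1", cgroup };
    if (lookup_cgroup(&cgroup) < 0)
        return -1;
    return allow_device(DEV, &data);       /* data.cgroup is still NULL */
}

/* Fixed order: fill the payload only after the lookup has succeeded. */
int attach_fixed(void) {
    cgroup_t *cgroup = NULL;
    cgroup_data_t data;
    if (lookup_cgroup(&cgroup) < 0)
        return -1;
    data.vm = "vm1";
    data.cgroup = cgroup;
    return allow_device(DEV, &data);
}

int main(void) {
    int b = attach_buggy(), f = attach_fixed();
    printf("buggy=%d fixed=%d allowed=%d\n", b, f, vm_cgroup.allowed);
    return 0;
}
```

The NULL check in the callback is defense in depth: it turns the daemon crash into a failed attach even if a caller gets the ordering wrong again.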

Comment 3 koka xiong 2011-03-24 06:08:11 UTC
*** Bug 690379 has been marked as a duplicate of this bug. ***

Comment 5 Alex Jia 2011-03-30 07:21:33 UTC
I can reproduce the bug on rhel6.1(2.6.32-120.el6.x86_64) with libvirt-0.8.7-14.el6.

And the bug has been verified on rhel6.1(2.6.32-120.el6.x86_64) with libvirt-0.8.7-15.el6.x86_64.


# virsh list 
 Id Name                 State
----------------------------------
  1 vr-rhel6-x86_64-kvm  running

# service libvirtd status
libvirtd (pid  3099) is running...

# lsusb
Bus 007 Device 003: ID 413c:2003 Dell Computer Corp. Keyboard
Bus 007 Device 002: ID 0461:4d22 Primax Electronics, Ltd 
Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 0ed1:6981 WinMaxGroup 
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

# virsh nodedev-dumpxml usb_1_3
<device>
  <name>usb_1_3</name>
  <parent>usb_usb1</parent>
  <capability type='usb_device'>
    <bus>1</bus>
    <device>5</device>
    <product id='0x6981'>Miniking Device</product>
    <vendor id='0x0ed1'>aigo</vendor>
  </capability>
</device>

# cat usb.xml 
    <hostdev mode='subsystem' type='usb' managed='yes'>
      <source>
        <address bus='0x001' device='0x002'/>
      </source>
    </hostdev>

# virsh attach-device vr-rhel6-x86_64-kvm usb.xml
Device attached successfully

# virsh dumpxml vr-rhel6-x86_64-kvm
<domain type='kvm' id='1'>
  <name>vr-rhel6-x86_64-kvm</name>
......
    <hostdev mode='subsystem' type='usb' managed='yes'>
      <source>
        <address bus='1' device='2'/>
      </source>
      <alias name='hostdev0'/>
    </hostdev>
.....

In addition, I can find the usb device on guest by lsusb, and I can also mkdir a directory and touch a file in the usb device. 


# ps -ef | grep qemu-kvm
qemu      2802     1  2 14:01 ?        00:00:35 /usr/libexec/qemu-kvm -S -M rhel6.1.0 -enable-kvm -m 512 -smp 1,sockets=1,cores=1,threads=1 -name vr-rhel6-x86_64-kvm -uuid fbe7bfbe-3e92-2e86-c678-9524e45eed8b -nodefconfig -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/vr-rhel6-x86_64-kvm.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -boot c -drive file=/var/lib/libvirt/images/vr-rhel6-x86_64-kvm,if=none,id=drive-ide0-0-0,format=raw -device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0 -netdev tap,fd=22,id=hostnet0 -device e1000,netdev=hostnet0,id=net0,mac=52:54:00:4f:83:c7,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -usb -vnc 127.0.0.1:0 -k en-us -vga cirrus -device AC97,id=sound0,bus=pci.0,addr=0x4 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
root      4893  2849  0 14:21 pts/2    00:00:00 grep qemu-kvm

Comment 8 errata-xmlrpc 2011-05-19 13:29:29 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0596.html

